HTTP Security Headers Analyzer
Paste raw HTTP response headers to get a security scorecard with findings and recommendations.
How it works
Strict-Transport-Security (HSTS) - forces HTTPS for a specified duration. Use max-age=31536000; includeSubDomains; preload.
Content-Security-Policy (CSP) - controls which resources may load. Prevents XSS. Avoid unsafe-inline and unsafe-eval.
X-Frame-Options - prevents clickjacking by controlling framing. Prefer DENY or SAMEORIGIN.
X-Content-Type-Options - set to nosniff to prevent MIME-type sniffing attacks.
Referrer-Policy - controls how much referrer information is sent with requests.
Permissions-Policy - restricts access to browser features such as camera, geolocation, and microphone.
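A small analyzer that applies the six checks above to pasted raw response headers, added here as an illustration and not the tool's own code. The scoring (one point per check that passes, "weak" for a header that is present but below the recommended setting) and the SAMPLE headers are assumptions constructed for the example.

```python
import re
ONE_YEAR = 31536000  # HSTS max-age the baseline above calls for (1yr+)

def parse_headers(raw):
    """Parse raw response headers into a dict keyed by lowercase name; skips the status line."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def analyze(raw):
    """Return (score, findings); findings are (header, status, note) tuples, one point per 'ok'."""
    h = parse_headers(raw)
    f = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if m and int(m.group(1)) >= ONE_YEAR:
        f.append(("Strict-Transport-Security", "ok", hsts))
    else:  # present but too short is "weak"; absent is "missing"
        f.append(("Strict-Transport-Security", "weak" if m else "missing",
                  "use max-age=31536000; includeSubDomains; preload"))
    csp = h.get("content-security-policy", "")
    if not csp:
        f.append(("Content-Security-Policy", "missing", "add a CSP to limit which resources may load"))
    elif "unsafe-inline" in csp or "unsafe-eval" in csp:
        f.append(("Content-Security-Policy", "weak", "contains unsafe-inline or unsafe-eval"))
    else:
        f.append(("Content-Security-Policy", "ok", csp))
    xfo = h.get("x-frame-options", "").upper()
    f.append(("X-Frame-Options", "ok" if xfo in ("DENY", "SAMEORIGIN")
              else ("weak" if xfo else "missing"), "prefer DENY or SAMEORIGIN"))
    xcto = h.get("x-content-type-options", "").lower()
    f.append(("X-Content-Type-Options", "ok" if xcto == "nosniff" else "missing", "set to nosniff"))
    for name in ("referrer-policy", "permissions-policy"):  # presence check only
        f.append((name.title(), "ok" if name in h else "missing", h.get(name, "not set")))
    return sum(1 for _, status, _ in f if status == "ok"), f

# Constructed sample headers (not from a real site): short HSTS, CSP with unsafe-inline.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""
```

Calling analyze(SAMPLE) returns a score of 3 out of 6 with HSTS and CSP flagged weak and Permissions-Policy missing.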
Security note
No single header makes a site secure. Use HSTS (1yr+), CSP without unsafe-inline, X-Content-Type-Options: nosniff, and Referrer-Policy as a baseline for any production site.